From 62a6e8fd3494cca173707af696971a768a7b7831 Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Thu, 3 Jul 2003 00:33:26 +0000
Subject: [PATCH] test against files-dir within the document-root of the webserver (this would allow uploads of scripts via vfs, and then execute them via the webserver)

---
 infolog/inc/class.vfs.inc.php | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/infolog/inc/class.vfs.inc.php b/infolog/inc/class.vfs.inc.php
index e32b50f38b..70e66fc87e 100644
--- a/infolog/inc/class.vfs.inc.php
+++ b/infolog/inc/class.vfs.inc.php
@@ -99,6 +99,19 @@ function vfs ()
 {
 $this->basedir = $GLOBALS['phpgw_info']['server']['files_dir'];
+
+ // test if the files-dir is inside the document-root, and refuse working if so
+ //
+ if (strstr($this->basedir,PHPGW_SERVER_ROOT) || strstr($this->basedir,$GLOBALS['HTTP_SERVER_VARS']['DOCUMENT_ROOT']))
+ {
+ $GLOBALS['phpgw']->common->phpgw_header();
+ if ($GLOBALS['phpgw_info']['flags']['noheader'])
+ {
+ echo parse_navbar();
+ }
+ echo '

'.lang('Path to user and group files HAS TO BE OUTSIDE of the webservers document-root!!!')."

\n";
+ $GLOBALS['phpgw']->common->phpgw_exit();
+ }
 $this->fakebase = "/home";
 $this->working_id = $GLOBALS['phpgw_info']['user']['account_id'];
 $this->working_lid = $GLOBALS['phpgw']->accounts->id2name($this->working_id);
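Review bot: The new `if (strstr($this->basedir,PHPGW_SERVER_ROOT) || strstr(...DOCUMENT_ROOT))` guard compares the raw configured strings, so a files_dir that reaches the document root through a symlink, a `..` segment or a differently spelled path is not detected, while `strstr()` matching anywhere in the string also rejects unrelated directories that merely contain the document-root text (and an empty or unset DOCUMENT_ROOT makes that half of the test meaningless). Canonicalising both sides with `realpath()` and testing a directory-prefix match closes those gaps; the unreachable-path case (`realpath()` returning `false`) is left to the caller's existing behaviour rather than refusing outright, since the files dir may legitimately not exist yet — worth confirming against how files_dir is created. This is a configuration sanity check only; it does not change what the web server would serve from an already-misplaced files_dir. The body of `vfs()` continues outside the hunk.
```php
// … unchanged: $this->basedir assignment …
// compare canonical paths as a directory prefix (not strstr): symlinks, '..' and
// alternative spellings of the same directory must not slip past this check
$docroot = realpath($GLOBALS['HTTP_SERVER_VARS']['DOCUMENT_ROOT']);
$srvroot = realpath(PHPGW_SERVER_ROOT);
$basedir = realpath($this->basedir);
$inside_docroot = $basedir !== false && $docroot !== false && strpos($basedir . '/', rtrim($docroot, '/') . '/') === 0;
$inside_srvroot = $basedir !== false && $srvroot !== false && strpos($basedir . '/', rtrim($srvroot, '/') . '/') === 0;
if ($inside_docroot || $inside_srvroot)
// … unchanged: header, navbar, message and phpgw_exit …
```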